Re: Trouble using SSL with Tomcat 9

[tomcat]

On 24.09.2017 16:08, Don Flinn wrote:
Andre,
I apologize for not giving all my information. As you perceived, I'm
running Windows. Other info, Windows 10, Tomcat 9, java 1.8.0_144.  As you
suggested, using netstat and telnet I found that port 8443 is not open.
Looking further Windows firewall is controlled by Norton security.  I am
now trying to find out how to open ports in Norton security using the
Norton blog.

Thank you for your help.  As is obvious, I'm a newbee in low level admin
work.  I'm hoping that when I get port 8443 open things will work.  I'll
let you know.

Maybe wait just a second more, before you go digging in the firewall.
You say that you found out that "the port is not open".
That is not the same thing as
- the port /is/ open
- but it cannot be connected to
If netstat shows the port open and listening, but you cannot connect to it with telnet, it 
is probably a firewall issue.
But if the port is not open, then it is a tomcat issue.
Provided that you configured tomcat properly, the port should be open, firewall or no 
firewall. (A firewall can only block access by a client, to a server port that is open. It 
cannot prevent a server process to open that port for listening.)
If it isn't open, the tomcat logs should tell you why.





Don



On Sun, Sep 24, 2017 at 6:44 AM, André Warnier (tomcat) <a...@ice-sa.com>
wrote:

On 24.09.2017 02:36, Don Flinn wrote:

I'm trying to use a self signed certificate generated in keytool.  When I
run the application Chrome, Firefox and internet Explorer using
localhost:8080/<myapp> all the browsers do a redirect to localhost:8443
and
then return This site can’t be reachedL*ocalhost* refused to connect.
There is no red lined out protocol in any of the browsers.  All the Tomcat
logs show no errors or warnings.  I can access applications that are not
protected and tomcat itself.


I would suggest that you first re-read what you wrote above, line by line,
and reflect quietly on what each line is telling you.

1) you say "localhost". That means that you are using a browser as client,
on the same machine as the one which is running the server.
2) you also say that one of the browsers is IE.
3) (1) and (2) together imply that the host in a Windows server (and the
client also of course).
4) you are not saying which version of Tomcat you are using, neither which
version of Java, neither which version of Windows.  That makes helping you
more complicated and time-consuming, and delays any help, because now we
have to ask you, and you have to respond.
5) "refused to connect" : before any kind of SSL dialog can even take
place, the browser must be able to establish a TCP connection to the
host:port in question.
"refused to connect" seens to indicate that this is not the case.
6) the logs do not show anything : that would seem to corroborate (5) :
tomcat does not even see this connection. iow, there is no connection.

There are several possible reasons for this.
a) Tomcat never opens the port 8443 for listening on it.
That can be checked, with tomcat running, with the "netstat" utility
program, included in Windows. With the proper arguments (which I will leave
to you as an exercise)(but "netstat -h" will help), netstat will show you
on which ports tomcat is listening locally.  If this does not include a
":8443" port, then it is not listening on that port, and certainly the logs
of tomcat will tell you why.
b) tomcat does listen on port 8443, but something else is blocking access
to that port.
Then you probably have to check your local firewall settings (or whatever
else in whatever version of Windows may be blocking connections to a port).

Another quick way to check if tomcat (or anything) is listening on port
8443 (and/or something is blocking it) would be, in a command window, to
run the following command :
telnet localhost 8443
(also with tomcat running)
If it also tells you "no connection", then (a) or (b) above would be
confirmed.
If it connects, then you may get another message, due to the fact that it
expects an SSL connection. (If it did not expect an SSL connection, you'd
just get a blank page until you type something else).
Obviously, access to tomcat's port 8080 is fine, so you can compare the
responses above with what happens when you substitute 8080 for 8443.

Once the above is really cleared up, then it may be worth looking at the
rest of the information which you sent below.

  If I set <transport-guarantee>

CONFIDENTIAL</transport-guarantee> to NONE everything works with
localhost:8080.

My SSL files in tomcat -

*server.xml -*

Connector
protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEI
mplementation"
SSLEnabled="true" acceptCount="100" clientAuth="false"
disableUploadTimeout="true" enableLookups="false" maxThreads="25"
port="8443" keystoreFile="c:/temp/mkeystore2.jks" keystorePass="foobar"
secure="true" sslProtocol="TLS" clientAuth="false" />

*web.xml -*

<security-constraint>
      <web-resource-collection>
          <web-resource-name>Financials</web-resource-name>
          <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
</security-constraint>

*the output from my keystore  list -*

C:\Users\don\Documents\Mansurus\Security> "%java_home%/bin/keytool.exe"
-list  -v -keystore c:/temp/mkeystore2.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: tomcat
Creation date: Sep 23, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown,
C=Unknown
Serial number: 6b5fe428
Valid from: Sat Sep 23 12:57:19 EDT 2017 until: Sun Sep 23 12:57:19 EDT
2018
Certificate fingerprints:
           MD5:  11:9D:2C:50:4A:09:9D:17:2F:46:3C:AF:AF:E5:59:EE
           SHA1: 63:EF:21:21:3C:22:82:46:21:84:
9C:81:C6:B0:C1:EC:0F:1C:87:31
           SHA256:
4E:75:D6:6A:6C:23:84:E0:36:AF:CF:1E:56:7D:18:6E:A1:BE:E5:EE:
0B:E5:7B:2A:01:96:DF:49:CA:F1:50:C7
           Signature algorithm name: SHA256withRSA
           Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 46 C9 48 D4 54 2A 54 CE   24 1F 22 ED 1D FC 6E 14  F.H.T*T.$."...n..
0010: BE 6F 4A 49                                        .oJI
]
]

What am I doing wrong?  I want to get a self-signed keystore working
before
I purchase a commercial certificate.

Don



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org





---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org